I am having a little trouble getting Spring Security and JSF to work together properly. I have created a basic login page that returns a "login" outcome when the Login button is clicked. However, I am getting a 404, "Failed to find resource /j_spring_security_check.jsp." For some reason, it is tacking a .jsp at the end of my specified in my faces-config. I was able to get this working by doing a code-side redirect in an action method (ie: context.redirect(root + "/j_spring_security_check?j_username=" + userName + "&j_password=" + password); ). I would really like to put the j_spring_security_check in my faces-config, though. My code is shown below:

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>BBB_WEB</display-name>
<context-param>
<description>
Comma-delimited list of context-relative resource paths
under which the JSF implementation will look for application
configuration resources, before loading a configuration
resource named /WEB-INF/facesconfig.xml (if such a resource
exists).
</description>
<param-name>javax.faces.CONFIG_FILES</param-name>
<param-value></param-value>
</context-param>
<context-param>
<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
<param-value>.jsp</param-value>
</context-param>
<!-- <context-param>-->
<!-- <param-name>facelets.LIBRARIES</param-name>-->
<!-- <param-value>/WEB-INF/tomahawk.taglib.xml</param-value>-->
<!-- </context-param>-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext.xml
classpath:applicationContext-security.xml
</param-value>
</context-param>
<context-param>
<description>
The location where state information is saved. Valid values
are 'server' (typically saved in HttpSession) and 'client'
(typically saved as a hidden field in the form. Default is
server.
</description>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<description>
Number of Views to be stored in the session when Server-Side
State Saving is being used. Default is 15.
</description>
<param-name>
com.sun.faces.NUMBER_OF_VIEWS_IN_SESSION
</param-name>
<param-value>15</param-value>
</context-param>
<context-param>
<description>
If set to true while server-side state saving is being used,
a serialized representation of the view is stored on the
server. This allows for failover and sever clustering
support. Default is false. This parameter is not available
in JSF 1.0.
</description>
<param-name>com.sun.faces.enableHighAvailability</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>
If set to true while client-side state saving is being used,
reduces the number of bytes sent to the client by
compressing the state before it is encoded and written as a
hidden field. Default is false. This parameter is not
available in JSF 1.0.
</description>
<param-name>com.sun.faces.COMPRESS_STATE</param-name>
<param-value>false</param-value>
</context-param>
<listener>
<listener-class>
com.sun.faces.config.ConfigureListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener
</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<welcome-file-list>
<welcome-file>/jsp/public/login.jsf</welcome-file>
</welcome-file-list>
</web-app>

Comment or delete the following lines in Web.xml... that is making the default suffix to jsp...

<context-param>
<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
<param-value>.jsp</param-value>
</context-param>
Hope that worked. The question is a bit old but the fix might be helpful to others...

If so, you need to configure a Webcontainer custom property in your local server and set "com.ibm.ws.webcontainer.invokefilterscompatibility" to "true". I have the same problem running Spring Security 3.x in Websphere 6.1, and that fixed it.

By the way, I see that your error message is "Failed to find resource /j_spring_security_check.jsp.". You shouldn't have ".jsp" in that link, it should be just "/j_spring_security_check". Fix that, and it should work for you.

Yes I am running on Websphere, thanks for the tip, I am going to try that shortly. As far as the error message ending in jsp, that's my problem. I don't know why it is sticking .jsp extension at the end of it. In my faces-config, I have the to-view-id as follows: <to-view-id>/j_spring_security_check</to-view-id>
–
JSF_Spring_DummyDec 10 '10 at 15:32

I already had the specified custom property above set to true.
–
JSF_Spring_DummyDec 10 '10 at 15:41